Sunday, June 3, 2012

My greylisting host is offline for unknown reasons. I am still trying to contact the service provider. So there is no data collected from greylisting today.
detection period: 2012-06-02 00:00-23:59 UTC
total number of suspected botnet IPs: 3210
number of botnet IPs notified to network operators: 2970
number of spam blocked: 189455
recipient count of spam blocked: 6356970

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank  Network                  # of suspected botnet IPs
1     CHINANET-GD              1602
2     UNICOM-GD                579
3     HINET-NET                353
4     DNSSLAVE5                16
5     000.065.376/0002-65      16
6     002.558.157/0001-62      15
7     CHINANET-JS              13
8     UNICOM-SD                11
9     INFORELAY-NETBLOCK04     11
10    003.420.926/0002-05      11

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

About Botnet Tracker

I submitted a paper titled "Follow the spam: a botnet detection and notification mechanism" (in Chinese) to this year's TANET conference (TANET 2010), and it has been accepted. In that paper, I pointed out the problem with botnet mitigation measures which focus on taking C&C servers offline, described the detection strategy of "follow the spam," and made a general sketch of how I detect and report botnets. So far I have only implemented half of the "follow the spam" strategy. Hope someone else will implement the other half.

My previous work was an open relay detection and notification system (presented at TANET 2006 conference), which was able to uncover more than 1200 open relays (confirmed by ORDB) each month at the time.
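The daily figures above are produced by two steps that the post only sketches: counting distinct suspected IPs per WHOIS network (and per country) to build the ranked table, and grouping the same IPs per network so each operator receives one notification. The script below is an added illustration of that aggregation and is not the Botnet Tracker's own code; the IP records, netnames and abuse contacts in it are constructed sample values, and the `ABUSE_CONTACTS` map is a hypothetical stand-in for whatever contact lookup the real system uses. It also shows why "notified" can be lower than "total": a network with no usable abuse contact is counted but not notified.

```python
from collections import Counter, defaultdict

# Constructed sample sightings: (suspected IP, WHOIS netname, country code).
# Documentation-range addresses and made-up netnames, not real tracker data.
SAMPLE_RECORDS = [
    ("198.51.100.7", "EXAMPLE-NET-A", "TW"),
    ("198.51.100.9", "EXAMPLE-NET-A", "TW"),
    ("203.0.113.4", "EXAMPLE-NET-B", "CN"),
    ("203.0.113.5", "EXAMPLE-NET-B", "CN"),
    ("203.0.113.6", "EXAMPLE-NET-B", "CN"),
    ("192.0.2.10", "EXAMPLE-NET-C", "US"),
    ("203.0.113.4", "EXAMPLE-NET-B", "CN"),  # same bot seen twice in one day
]

# Hypothetical abuse-contact table; None means no usable contact was found in WHOIS.
ABUSE_CONTACTS = {
    "EXAMPLE-NET-A": "abuse@net-a.example",
    "EXAMPLE-NET-B": "abuse@net-b.example",
    "EXAMPLE-NET-C": None,
}

NETNAME, COUNTRY = 1, 2  # field indexes into a record tuple


def dedupe(records):
    """Collapse repeated sightings so each suspected IP is counted once."""
    seen = {}
    for rec in records:
        seen.setdefault(rec[0], rec)
    return list(seen.values())


def top_n(records, field, n=10):
    """Rank netnames or countries by number of distinct suspected IPs.

    Returns a list of (rank, name, count). Ties are broken by name so the
    table is stable from day to day.
    """
    counts = Counter(rec[field] for rec in dedupe(records))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(rank, name, count) for rank, (name, count) in enumerate(ranked[:n], start=1)]


def notification_batches(records, contacts):
    """Group suspected IPs by network so each operator gets a single report.

    Returns (batches, notified_count): batches maps netname -> (contact, sorted IPs)
    for networks that have a contact; notified_count is the number of IPs in those
    batches, which is the 'notified to network operators' figure.
    """
    by_net = defaultdict(list)
    for ip, netname, _cc in dedupe(records):
        by_net[netname].append(ip)
    batches = {}
    notified = 0
    for netname, ips in by_net.items():
        contact = contacts.get(netname)
        if contact is None:
            continue  # counted as suspected, but nobody to notify
        batches[netname] = (contact, sorted(ips))
        notified += len(ips)
    return batches, notified


def format_table(rows, label):
    """Render (rank, name, count) rows as the plain-text table used in the report."""
    lines = [f"Rank  {label:<24}# of suspected botnet IPs"]
    for rank, name, count in rows:
        lines.append(f"{rank:<6}{name:<24}{count}")
    return "\n".join(lines)


if __name__ == "__main__":
    distinct = dedupe(SAMPLE_RECORDS)
    batches, notified = notification_batches(SAMPLE_RECORDS, ABUSE_CONTACTS)
    print(f"total number of suspected botnet IPs: {len(distinct)}")
    print(f"number of botnet IPs notified to network operators: {notified}\n")
    print(format_table(top_n(SAMPLE_RECORDS, NETNAME), "Network"), "\n")
    print(format_table(top_n(SAMPLE_RECORDS, COUNTRY), "Country"))
```

Running the script prints the two headline counts and both ranked tables for the constructed data; in a real deployment the records would come from the spam-trap or greylisting logs and the contact lookup from WHOIS, with the per-network batches feeding whatever mail-out the operator uses.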